Description
pkg/node/info.go:NormalizeNodeURI allows http:// for any address, not just localhost/loopback. While avalanchego's info client may not follow redirects, enforcing localhost-only for HTTP is defense-in-depth.
Current behavior
Any address without a scheme gets http:// prepended:
if !strings.HasPrefix(addr, "http://") && !strings.HasPrefix(addr, "https://") {
    addr = "http://" + addr
}
Expected behavior
Only allow http:// for localhost/loopback addresses. Require https:// for remote nodes.
Suggested fix
// parsed is the *url.URL obtained from url.Parse(addr) after the scheme is added;
// isLocalhost is a helper (to be added) that accepts "localhost" and loopback IPs only.
if parsed.Scheme == "http" {
    host := parsed.Hostname()
    if !isLocalhost(host) {
        return "", fmt.Errorf("http:// only allowed for localhost (use https:// for remote nodes)")
    }
}
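A complete version of the suggested check, written here as an added example rather than the project's own code. It keeps the current "prepend http://" behaviour for bare addresses and then rejects any plaintext http:// URI whose host is not "localhost" or a loopback IP; the helper name isLoopbackHost and the error wording are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// isLoopbackHost accepts only the literal name "localhost" or a loopback IP
// (127.0.0.0/8, ::1). An exact comparison is used on purpose: a prefix check
// would also accept names such as "localhost.example.com".
func isLoopbackHost(host string) bool {
	if strings.EqualFold(host, "localhost") {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// NormalizeNodeURI prepends http:// to a bare host:port, as the current code
// does, then rejects plaintext http:// for any non-loopback host.
func NormalizeNodeURI(addr string) (string, error) {
	addr = strings.TrimSpace(addr)
	if addr == "" {
		return "", fmt.Errorf("empty node address")
	}
	if !strings.HasPrefix(addr, "http://") && !strings.HasPrefix(addr, "https://") {
		addr = "http://" + addr
	}
	parsed, err := url.Parse(addr)
	if err != nil {
		return "", fmt.Errorf("invalid node address %q: %w", addr, err)
	}
	if parsed.Host == "" {
		return "", fmt.Errorf("node address %q has no host", addr)
	}
	if parsed.Scheme == "http" && !isLoopbackHost(parsed.Hostname()) {
		return "", fmt.Errorf("http:// only allowed for localhost (use https:// for remote nodes): %q", addr)
	}
	return strings.TrimSuffix(parsed.String(), "/"), nil
}

func main() {
	// Constructed sample inputs: two loopback forms, a remote host over http and over https.
	for _, a := range []string{"127.0.0.1:9650", "[::1]:9650", "http://203.0.113.10:9650", "https://203.0.113.10:9650"} {
		uri, err := NormalizeNodeURI(a)
		fmt.Printf("%-28s -> %q, err=%v\n", a, uri, err)
	}
}
```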
Severity
Minor - defense-in-depth improvement
Source
Production readiness audit (2026-02-09)